2014-12-12 - RANSOMWARE INFECTION AFTER NUCLEAR EK FROM 128.199.52.211 - YQUESRERMAN.GA

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

Nuclear EK:

 

POST-INFECTION TRAFFIC:

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7.6:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-12-12-Nuclear-EK-flash-exploit.swf
File size:  21.8 KB ( 22361 bytes )
MD5 hash:  9b3ad66a2a61e8760602d98b537b7734
Detection ratio:  0 / 56
First submission:  2014-12-13 01:24:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/00730977f6a6c1e8a7221a11785e525cdc2a39638b869d77da9b828e4643f839/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-12-12-Nuclear-EK-silverlight-exploit.xap  (same as the one from 2014-12-10)
File size:  6.8 KB ( 6924 bytes )
MD5 hash:  87d140b1b68cbe2b46a4a355fbd87a09
Detection ratio:  10 / 55
First submission:  2014-12-10 18:31:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a0b5876419025568915bfea24d22163169f4b3634935edafd998c26d57900055/analysis/

 

MALWARE PAYLOAD:

File name:  2014-12-12-Nuclear-EK-malware-payload.exe
File size:  225.0 KB ( 230400 bytes )
MD5 hash:  bf230af91ac92924a745f42021abbba0
Detection ratio:  7 / 53
First submission:  2014-12-13 01:24:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/18cb84c0d9c87fa5ed74da826270bd416aa039795b731fc91e700b03b7738610/analysis/
Malwr link:  https://malwr.com/analysis/M2QxMWFiZTc5YjNkNGI0MjkwY2RhMGViMjNkOTdmOTA/

 

SCREENSHOTS

Full view of the ransomware screen from the infected VM:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.